This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 83%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I am trying advanced hunting queries towards the endpoint "[https://api-eu.securitycenter.microsoft.com/api/advancedqueries/run"
The permissions, tokens and app permissions is already configured. The problem now is that some queries give me result back and some give HTTP 400 Bad request.
This query works:
$query = @"
DeviceProcessEvents
|where FileName =~ 'powershell.exe'
|limit 10
"@
These two doesn't work, I get HTTP 400 Bad request back
$query = @"
RegistryEvents | limit 10
"@
$query = @"
SecurityEvent
|where EventID in (4624, 4625)
|where AccountType == 'User'
|summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Amount = count() by LogonTypeName
|extend timestamp = StartTimeUtc
"@
So, what might be the problem? Is it granular permissions that enabled me to check "DeviceProcessEvents" but not "RegistryEvents?
Is it a license issue? We have Microsoft Defender for Endpoint Plan 2.
Is it some kind of syntax issue? I am just copy/pasting these queries from [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-full-sample-powershell?view=o365-worldwide and [https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcess_forWinHost.yaml and [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Daniel Apologies for the delay in reviewing this post, researched on your ask what I can notice is RegistryEvents or SecurityEvent do you have schema defined in your security portal, this query worked - DeviceProcessEvents for you because there is a table defined for the same, (https://security.microsoft.com) below is the screenshot from my portal, would recommend when you run these queries match the tables which within the schema section of your portal and see if this suggestion helps to answer your query.
Reference:
[https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-error-codes?view=o365-worldwide#:~:text=by%20angle%20brackets.-,Error%20codes,-Error%20code
Understand the advanced hunting schema
Let me know if you have any further questions, feel free to post back.
@Daniel Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Yes, now I apologize for the delay. The screenshot you posted of the databases and the available columns helped me understand more of what can be copy/pasted from communities :)
@Daniel Thanks for the update.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 67%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi, I have the same issue with the table IdentityInfo and it exists in the schema. The server response 400 Bad Request while, testing with the table DeviceEvents, the server returns the result as expected
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 0%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
I get a 400 whenever I try to include a '>' symbol in the query.
I have tried converting to JSON which creates a character code (\u003e) which also fails.
So I suspect there is more documentation required RE escaping some query characters, given the API calls succeed in the API explorer web UI